API Penetration Testing

Manual, business-logic-aware penetration testing of REST, GraphQL, gRPC, and SOAP APIs — aligned with the OWASP API Security Top 10 (2023) and OWASP ASVS.

Why APIs Need Dedicated Testing

APIs expose business logic directly, frequently process sensitive data without the browser-side defences that protect traditional web front-ends, and make up the majority of the attack surface in modern applications. The most damaging vulnerability classes (broken object-level authorisation (BOLA), broken function-level authorisation (BFLA) and excessive data exposure) are rarely detectable by signature-driven scanners, because an endpoint that returns another tenant's record looks identical, at the HTTP level, to one that returns the caller's own. Finding them requires a tester who understands the business intent behind each endpoint.
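To make the BOLA point concrete, the following is an added example written for this page; it is not code from the page's authors or from any client engagement. It models an "orders" endpoint as plain Python functions (no web framework, so it runs offline): a vulnerable handler that checks only that the caller is authenticated, beside a hardened one that scopes the lookup to the caller's own objects. The `Order` dataclass, the `ORDERS` table and the `support` role are constructed for the illustration.

```python
"""
Added example: OWASP API1 (Broken Object Level Authorisation) modelled as two
request handlers. Both receive an already-authenticated caller id and an
object id taken from the URL path, e.g. GET /orders/{order_id}.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data standing in for an orders table. Order 1001 belongs
# to user 1, order 1002 to user 2.
ORDERS = {
    1001: Order(order_id=1001, owner_id=1, total_cents=2599),
    1002: Order(order_id=1002, owner_id=2, total_cents=88000),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def get_order_vulnerable(caller_id: int, order_id: int,
                         caller_roles: FrozenSet[str] = frozenset()) -> Order:
    """BOLA: authentication is enforced upstream, but ownership is never
    checked, so any logged-in user can read any order by changing the id."""
    if order_id not in ORDERS:
        raise NotFound()
    return ORDERS[order_id]


def get_order_fixed(caller_id: int, order_id: int,
                    caller_roles: FrozenSet[str] = frozenset()) -> Order:
    """Object-level authorisation: the lookup is scoped to the caller.

    A record the caller may not see is reported exactly like a record that
    does not exist, so the response cannot be used to confirm which ids are
    valid. A hypothetical 'support' role is allowed to read any order.
    """
    order = ORDERS.get(order_id)
    is_owner = order is not None and order.owner_id == caller_id
    if order is None or not (is_owner or "support" in caller_roles):
        raise NotFound()
    return order


def outcome(handler: Callable[..., Order], caller_id: int, order_id: int,
            roles: FrozenSet[str] = frozenset()) -> str:
    """Reduce a handler call to the status a tester would observe."""
    try:
        handler(caller_id, order_id, roles)
        return "ok"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    # User 1 requests user 2's order: the vulnerable handler serves it,
    # the fixed handler answers as if the order did not exist.
    print("vulnerable:", outcome(get_order_vulnerable, 1, 1002))  # ok
    print("fixed:     ", outcome(get_order_fixed, 1, 1002))       # not_found
```

Note that a scanner replaying the request with a different id sees a well-formed 200 in both cases and has no way to tell that the vulnerable response belongs to someone else; only a tester holding credentials for two distinct users, as the engagement inputs below ask for, can observe the cross-user read.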

Coverage

OWASP API Security Top 10 (2023)

  • API1 — Broken Object Level Authorisation
  • API2 — Broken Authentication
  • API3 — Broken Object Property Level Authorisation
  • API4 — Unrestricted Resource Consumption
  • API5 — Broken Function Level Authorisation
  • API6 — Unrestricted Access to Sensitive Business Flows
  • API7 — Server Side Request Forgery
  • API8 — Security Misconfiguration
  • API9 — Improper Inventory Management
  • API10 — Unsafe Consumption of APIs

Protocol Support

  • REST (OpenAPI / Swagger driven)
  • GraphQL — introspection, query depth, alias-based DoS, batched queries
  • gRPC — protobuf reflection and reverse engineering
  • SOAP — XML-specific attacks, WS-Security misuse
  • WebSocket and Server-Sent Events

Engagement Inputs

Testing is most effective with documented inputs: an OpenAPI / Swagger or GraphQL schema, a Postman collection, authentication credentials at multiple authorisation levels (so that cross-user and cross-role access can be tested), and example request bodies. Where documentation is absent, we perform and document reconnaissance and API inventory work as a prerequisite phase.